Blackhole Creator on Quest to Expand Exploit Empire

The gang behind the notorious Blackhole exploit kit is branching out into new markets with a new crimeware kit and a $100,000 budget.

The creator of the tremendously popular Blackhole exploit kit has "begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack," security researcher and writer Brian Krebs noted on his blog, Krebs on Security. The group has set aside $100,000 to purchase browser and browser plug-in vulnerabilities to include in Cool Exploit, according to some posts Krebs found on underground forums.

According to these posts, these exploits will be owned and used exclusively by the group and would not be disclosed or released to the public, Krebs said. The group will be buying "weaponized (Ready) exploits" as well as their descriptions and proofs of concept so that other people won't be able to use those exploits, according to the postings.

"The author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes," Krebs wrote, referring to Paunch, Blackhole's creator.

Criminals use exploit kits to infect legitimate websites with malicious code so that when visitors come to the site, they are either served up a cocktail of malware in a drive-by-download attack or redirected to a different site for the payload. The toolkits are frequently updated with new exploits to help criminals successfully compromise more victims. If Cool Exploit really winds up getting exclusive access to exploits, it will have an advantage over other toolkits, wrote Blue Coat's Jeff Doty.

"This could give Cool a significant leg up on the competition with other exploit kits," Doty said.

While aspiring criminals can rent Blackhole for about $700 a month or take advantage of a hosting solution for $500 a month, Cool Exploit with its collection of advanced exploits will cost $10,000 per month, Blackhole creator Paunch told Krebs. While the higher price tag may deter some criminals from using the new crimeware kit, for others, it may well be a small cost of doing business. According to Symantec, one of the ransomware gangs using Cool Exploit is generating nearly $400,000 in profits each month. Considering those kinds of numbers, $10,000 for the exploit kit is pocket change.

Security experts have suspected for a while that the group behind the new Cool Exploit toolkit is the same one behind Blackhole, as sophisticated exploits were added to both toolkits over a short period of time. A French researcher named Kafeine observed a Windows exploit appear first in Cool Exploit and then in Blackhole. After a Java exploit was added to Cool Exploit, he correctly predicted it would soon show up in Blackhole.

"Be ready to see same kind of post for Blackhole 2.0 (or update to 2.1) soon, as chances are HUGE that Paunch is indeed behind Cool EK code," Kafeine wrote, back in November.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.